Your Detections Won't Catch This
The logs will look clean. That's the problem.
Picture this activity hitting your SIEM:
09:02 – Agent reads a document from SharePoint
09:03 – Agent queries the internal CRM
09:04 – Agent queries the HR database
09:05 – Agent creates a ticket in ServiceNow
09:06 – Agent provisions an AWS resource
Every request authenticated. Every action authorized. Every event looked like legitimate work.
Which detection rule fires?
None.
And that's not a gap in your coverage. That's your coverage working exactly as designed.
Traditional detection engineering was built for a different world, one where threats left clear fingerprints in login patterns, process execution, known signatures or deviations from baseline.
AI agents don't behave like attackers. They behave like legitimate systems.
They use the same APIs your applications use. They touch the same data your workflows touch. They follow paths your controls were explicitly built to allow.
The difference between an agent doing exactly what it should and one doing something it shouldn't isn't visible in any individual event.
It only becomes visible when you look at what those events produced together.
Your rules hunt for impossible travel, privilege escalation, suspicious PowerShell, process injection, known malicious hashes and lateral movement. Every one of those detections assumes the threat behaves differently from the baseline.
Now look at what agentic misuse looks like.
The agent calls SharePoint, then HR, then Payroll, then Azure Key Vault. Every call succeeds. Every call is authorized. The agent has never executed that sequence before, but your rules aren't watching sequences. They're watching events.
Nothing fires.
The detection gap isn't that the activity is invisible. It's that the activity is indistinguishable from normal until you understand what the agent was trying to accomplish.
Nothing looked suspicious until you understood the objective.
Most SIEM detections assume events are meaningful on their own, that risk surfaces at the individual event level and that behavior can be reduced to signatures or thresholds.
AI agents break that model.
A single action tells you almost nothing. A sequence can reveal an unexpected transition between systems, context that should never have influenced a decision, an objective fulfilled through an unintended path or behavior that no longer aligns with the workflow the agent was given.
None of those conditions fire existing alerts.
They only become visible when you ask a different question:
Does this chain of actions make sense?
That's the shift.
Instead of asking whether an action looks suspicious, you have to ask whether the behavior was expected.
Detection doesn't move from events to better rules.
It moves from events to sequences, and eventually to objectives.
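What the shift from events to sequences looks like in code, as an added example that is not part of the original post: the audit events are constructed to match the timeline above, the field names, the agent name, its declared objective scope and its baseline transitions are all assumptions, and the two checks stand in for an event-level rule and a sequence-level rule respectively. The event-level rule has nothing to fire on because every action was authorized; the sequence-level check reconstructs the chain each agent walked and flags systems outside the objective it was given and transitions it has never made before.

```python
from collections import defaultdict

# Constructed sample audit events modelled on the timeline in the post.
# The field names are assumptions, not any SIEM's or product's schema.
EVENTS = [
    {"ts": "09:02", "agent": "helpdesk-agent", "system": "sharepoint", "action": "read", "authorized": True},
    {"ts": "09:03", "agent": "helpdesk-agent", "system": "crm", "action": "query", "authorized": True},
    {"ts": "09:04", "agent": "helpdesk-agent", "system": "hr", "action": "query", "authorized": True},
    {"ts": "09:05", "agent": "helpdesk-agent", "system": "servicenow", "action": "create_ticket", "authorized": True},
    {"ts": "09:06", "agent": "helpdesk-agent", "system": "aws", "action": "provision", "authorized": True},
]

# Assumed per-agent profile: the systems the agent's objective is allowed to
# touch, and the system-to-system transitions observed while it ran the
# workflow it was actually given. Both would come from onboarding and a
# baseline period in a real deployment.
PROFILES = {
    "helpdesk-agent": {
        "objective_scope": {"sharepoint", "crm", "servicenow"},
        "baseline_transitions": {
            ("sharepoint", "crm"),
            ("crm", "servicenow"),
            ("sharepoint", "servicenow"),
        },
    }
}


def per_event_alerts(events):
    """Event-level rule of the kind the post describes: it can only fire on
    actions that were denied or unauthorized, so it returns nothing here."""
    return [e for e in events if not e["authorized"]]


def chains_by_agent(events):
    """Order each agent's events by timestamp and return the sequence of
    systems it touched. This is the unit the sequence check reasons about."""
    grouped = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        grouped[e["agent"]].append(e["system"])
    return dict(grouped)


def sequence_alerts(events, profiles):
    """Sequence-level check: compare each agent's chain with its profile and
    report systems outside its objective and transitions never seen in baseline."""
    findings = []
    for agent, chain in chains_by_agent(events).items():
        profile = profiles.get(agent)
        if profile is None:
            # An agent with no declared objective is itself a finding.
            findings.append({"agent": agent, "kind": "unknown_agent", "detail": chain})
            continue
        out_of_scope = [s for s in chain if s not in profile["objective_scope"]]
        novel = [
            (a, b)
            for a, b in zip(chain, chain[1:])
            if (a, b) not in profile["baseline_transitions"]
        ]
        if out_of_scope:
            findings.append({"agent": agent, "kind": "out_of_scope_system", "detail": out_of_scope})
        if novel:
            findings.append({"agent": agent, "kind": "novel_transition", "detail": novel})
    return findings


if __name__ == "__main__":
    print("event-level alerts:", per_event_alerts(EVENTS))
    for finding in sequence_alerts(EVENTS, PROFILES):
        print("sequence-level finding:", finding)
```

The same machinery handles the SharePoint, HR, Payroll, Key Vault chain mentioned earlier: each hop is authorized on its own, and only the reconstructed chain, compared against what the agent was provisioned to do, produces a finding. A production version would key the baseline on the agent identity the platform actually issues (a service principal or workload identity) and would keep the chain open across the whole task rather than a fixed time window.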
There's an analyst dimension to this that doesn't get enough attention.
Today's SOC analyst investigates alerts. Something fires, and the analyst works backward to understand what caused it.
That model breaks when the signal never appears.
In an agentic environment, the analyst has to investigate the objective. Not "What happened at 09:04?" but "What was this system trying to accomplish? What did it touch along the way? Did that behavior align with the objective it was given?"
That's a different workflow.
Most SOC environments aren't built for it yet.
The next generation of detection engineering won't be built around identifying malicious events.
It will be built around recognizing when legitimate events combine into behavior that was never intended.
Today's analyst investigates alerts. Tomorrow's analyst investigates objectives.
Teams are going to stare at perfectly healthy-looking logs and still ask:
"Why didn't we catch that?"
Because there was nothing suspicious in the individual events.
The signal was in the sequence.